@agenticmail/core 0.9.8 → 0.9.10

package/dist/index.js

@@ -24,8 +24,7 @@ var MailSender = class {
         pass: options.password
       },
       tls: {
-        rejectUnauthorized: false
-        // Local dev — no TLS
+        rejectUnauthorized: options.tlsRejectUnauthorized ?? true
       },
       connectionTimeout: 1e4,
       // 10s to establish TCP connection
@@ -3097,7 +3096,47 @@ var DomainManager = class {
 
 // src/gateway/manager.ts
 import { join as join4 } from "path";
+
+// src/crypto/secrets.ts
 import { createCipheriv, createDecipheriv, randomBytes as randomBytes2, createHash, scryptSync } from "crypto";
+function deriveKey(key, salt) {
+  return scryptSync(key, salt, 32, { N: 16384, r: 8, p: 1 });
+}
+function encryptSecret(plaintext, key) {
+  const salt = randomBytes2(16);
+  const derivedKey = deriveKey(key, salt);
+  const iv = randomBytes2(12);
+  const cipher = createCipheriv("aes-256-gcm", derivedKey, iv);
+  const encrypted = Buffer.concat([cipher.update(plaintext, "utf8"), cipher.final()]);
+  const authTag = cipher.getAuthTag();
+  return `enc2:${salt.toString("hex")}:${iv.toString("hex")}:${authTag.toString("hex")}:${encrypted.toString("hex")}`;
+}
+function decryptSecret(value, key) {
+  if (value.startsWith("enc2:")) {
+    const parts = value.split(":");
+    if (parts.length !== 5) return value;
+    const [, saltHex, ivHex, authTagHex, ciphertextHex] = parts;
+    const derivedKey = deriveKey(key, Buffer.from(saltHex, "hex"));
+    const decipher = createDecipheriv("aes-256-gcm", derivedKey, Buffer.from(ivHex, "hex"));
+    decipher.setAuthTag(Buffer.from(authTagHex, "hex"));
+    return Buffer.concat([decipher.update(Buffer.from(ciphertextHex, "hex")), decipher.final()]).toString("utf8");
+  }
+  if (value.startsWith("enc:")) {
+    const parts = value.split(":");
+    if (parts.length !== 4) return value;
+    const [, ivHex, authTagHex, ciphertextHex] = parts;
+    const keyHash = createHash("sha256").update(key).digest();
+    const decipher = createDecipheriv("aes-256-gcm", keyHash, Buffer.from(ivHex, "hex"));
+    decipher.setAuthTag(Buffer.from(authTagHex, "hex"));
+    return Buffer.concat([decipher.update(Buffer.from(ciphertextHex, "hex")), decipher.final()]).toString("utf8");
+  }
+  return value;
+}
+function isEncryptedSecret(value) {
+  return typeof value === "string" && (value.startsWith("enc2:") || value.startsWith("enc:"));
+}
+
+// src/gateway/manager.ts
 import nodemailer3 from "nodemailer";
 
 // src/debug.ts
@@ -4374,6 +4413,130 @@ var TunnelManager = class {
 import MailComposer3 from "nodemailer/lib/mail-composer/index.js";
 
 // src/sms/manager.ts
+function asString(value) {
+  return typeof value === "string" ? value.trim() : "";
+}
+function defaultApiUrl(config) {
+  const url = (config.apiUrl || "https://api.46elks.com/a1").replace(/\/+$/, "");
+  if (!/^https:\/\//i.test(url)) {
+    throw new Error("46elks apiUrl must use https:// \u2014 refusing to send credentials over a non-TLS connection");
+  }
+  return url;
+}
+function basicAuth(username, password) {
+  return Buffer.from(`${username}:${password}`, "utf8").toString("base64");
+}
+function redactSmsConfig(config) {
+  return {
+    ...config,
+    forwardingPassword: config.forwardingPassword ? "***" : void 0,
+    password: config.password ? "***" : void 0,
+    webhookSecret: config.webhookSecret ? "***" : void 0
+  };
+}
+var GoogleVoiceSmsProvider = class {
+  id = "google_voice";
+  async sendSms(config, input) {
+    const to = normalizePhoneNumber(input.to);
+    const from = normalizePhoneNumber(config.phoneNumber);
+    if (!to) throw new Error("Invalid recipient phone number");
+    if (!from) throw new Error("Invalid configured Google Voice phone number");
+    return {
+      provider: this.id,
+      status: "pending",
+      from,
+      to,
+      body: input.body,
+      raw: {
+        delivery: "manual_google_voice_web",
+        url: "https://voice.google.com"
+      }
+    };
+  }
+  parseInboundSms() {
+    return null;
+  }
+};
+var FortySixElksSmsProvider = class {
+  id = "46elks";
+  async sendSms(config, input) {
+    const username = asString(config.username);
+    const password = asString(config.password);
+    if (!username || !password) {
+      throw new Error("46elks username and password are required");
+    }
+    const to = normalizePhoneNumber(input.to);
+    const from = normalizePhoneNumber(config.phoneNumber);
+    if (!to) throw new Error("Invalid recipient phone number");
+    if (!from) throw new Error("Invalid configured 46elks phone number");
+    const form = new URLSearchParams();
+    form.set("to", to);
+    form.set("from", from);
+    form.set("message", input.body);
+    if (input.dryRun) form.set("dryrun", "yes");
+    const response = await fetch(`${defaultApiUrl(config)}/sms`, {
+      method: "POST",
+      headers: {
+        "Authorization": `Basic ${basicAuth(username, password)}`,
+        "Content-Type": "application/x-www-form-urlencoded"
+      },
+      body: form,
+      signal: AbortSignal.timeout(15e3)
+    });
+    const text = await response.text();
+    let raw = text;
+    try {
+      raw = JSON.parse(text);
+    } catch {
+    }
+    if (!response.ok) {
+      const message = typeof raw === "object" && raw && ("message" in raw || "error" in raw) ? String(raw.message ?? raw.error) : text.slice(0, 200);
+      throw new Error(`46elks SMS failed (${response.status}): ${message}`);
+    }
+    const providerId = typeof raw === "object" && raw && "id" in raw ? String(raw.id) : void 0;
+    const providerStatus = typeof raw === "object" && raw && "status" in raw ? String(raw.status) : "sent";
+    return {
+      provider: this.id,
+      id: providerId,
+      status: providerStatus,
+      from,
+      to,
+      body: input.body,
+      raw
+    };
+  }
+  parseInboundSms(payload) {
+    const direction = asString(payload.direction).toLowerCase();
+    if (direction && direction !== "incoming") return null;
+    const from = normalizePhoneNumber(asString(payload.from));
+    const to = normalizePhoneNumber(asString(payload.to));
+    const body = asString(payload.message);
+    if (!from || !to || !body) return null;
+    return {
+      provider: this.id,
+      id: asString(payload.id) || void 0,
+      from,
+      to,
+      body,
+      timestamp: asString(payload.created) || (/* @__PURE__ */ new Date()).toISOString(),
+      raw: payload
+    };
+  }
+};
+var PROVIDERS = {
+  google_voice: new GoogleVoiceSmsProvider(),
+  "46elks": new FortySixElksSmsProvider()
+};
+function getSmsProvider(provider) {
+  return PROVIDERS[provider];
+}
+function mapProviderSmsStatus(status) {
+  const normalized = status.toLowerCase();
+  if (normalized === "delivered") return "delivered";
+  if (normalized === "failed" || normalized === "error") return "failed";
+  if (normalized === "created" || normalized === "queued" || normalized === "sent") return "sent";
+  return "sent";
+}
 function normalizePhoneNumber(raw) {
   const cleaned = raw.replace(/[^+\d]/g, "");
   if (!cleaned) return null;
@@ -4480,12 +4643,48 @@ function extractVerificationCode(smsBody) {
   }
   return null;
 }
+var SMS_SECRET_FIELDS = ["password", "webhookSecret", "forwardingPassword"];
 var SmsManager = class {
-  constructor(db2) {
+  /**
+   * Optional master key used to encrypt SMS credentials at rest (same
+   * AES-256-GCM scheme GatewayManager uses for relay/domain secrets).
+   * When absent (e.g. tests, or a deployment with no master key) configs
+   * are stored as-is and reads tolerate plaintext — so upgrades and
+   * downgrades both stay safe.
+   */
+  constructor(db2, encryptionKey) {
     this.db = db2;
+    this.encryptionKey = encryptionKey;
     this.ensureTable();
   }
   initialized = false;
+  /** Encrypt the credential fields of an SMS config before persisting. */
+  encryptConfig(config) {
+    if (!this.encryptionKey) return config;
+    const out = { ...config };
+    for (const field of SMS_SECRET_FIELDS) {
+      const value = out[field];
+      if (typeof value === "string" && value && !isEncryptedSecret(value)) {
+        out[field] = encryptSecret(value, this.encryptionKey);
+      }
+    }
+    return out;
+  }
+  /** Decrypt the credential fields of an SMS config after loading. */
+  decryptConfig(config) {
+    if (!this.encryptionKey) return config;
+    const out = { ...config };
+    for (const field of SMS_SECRET_FIELDS) {
+      const value = out[field];
+      if (typeof value === "string" && isEncryptedSecret(value)) {
+        try {
+          out[field] = decryptSecret(value, this.encryptionKey);
+        } catch {
+        }
+      }
+    }
+    return out;
+  }
   ensureTable() {
     if (this.initialized) return;
     try {
@@ -4518,18 +4717,19 @@ var SmsManager = class {
       this.initialized = true;
     }
   }
-  /** Get SMS config from agent metadata */
+  /** Get SMS config from agent metadata (credential fields decrypted). */
   getSmsConfig(agentId) {
     const row = this.db.prepare("SELECT metadata FROM agents WHERE id = ?").get(agentId);
     if (!row) return null;
     try {
       const meta = JSON.parse(row.metadata || "{}");
-      return meta.sms && meta.sms.enabled !== void 0 ? meta.sms : null;
+      if (!meta.sms || meta.sms.enabled === void 0) return null;
+      return this.decryptConfig(meta.sms);
     } catch {
       return null;
     }
   }
-  /** Save SMS config to agent metadata */
+  /** Save SMS config to agent metadata (credential fields encrypted). */
   saveSmsConfig(agentId, config) {
     const row = this.db.prepare("SELECT metadata FROM agents WHERE id = ?").get(agentId);
     if (!row) throw new Error(`Agent ${agentId} not found`);
@@ -4539,7 +4739,7 @@ var SmsManager = class {
     } catch {
       meta = {};
     }
-    meta.sms = config;
+    meta.sms = this.encryptConfig(config);
     this.db.prepare("UPDATE agents SET metadata = ?, updated_at = datetime('now') WHERE id = ?").run(JSON.stringify(meta), agentId);
   }
   /**
@@ -4582,27 +4782,50 @@ var SmsManager = class {
     delete meta.sms;
     this.db.prepare("UPDATE agents SET metadata = ?, updated_at = datetime('now') WHERE id = ?").run(JSON.stringify(meta), agentId);
   }
-  /** Record an inbound SMS (parsed from email) */
-  recordInbound(agentId, parsed) {
+  /** Find the agent whose SMS config owns a phone number. */
+  findAgentBySmsNumber(phoneNumber, provider) {
+    const normalized = normalizePhoneNumber(phoneNumber);
+    if (!normalized) return null;
+    const rows = this.db.prepare("SELECT id, metadata FROM agents").all();
+    for (const row of rows) {
+      try {
+        const meta = JSON.parse(row.metadata || "{}");
+        const cfg = meta.sms;
+        if (!cfg?.enabled) continue;
+        if (provider && cfg.provider !== provider) continue;
+        if (normalizePhoneNumber(cfg.phoneNumber) === normalized) {
+          return { agentId: row.id, config: this.decryptConfig(cfg) };
+        }
+      } catch {
+      }
+    }
+    return null;
+  }
+  /** Record an inbound SMS (parsed from email or provider webhook) */
+  recordInbound(agentId, parsed, metadata) {
     const id = `sms_in_${Date.now()}_${Math.random().toString(36).slice(2, 8)}`;
     const createdAt = parsed.timestamp || (/* @__PURE__ */ new Date()).toISOString();
     this.db.prepare(
-      "INSERT INTO sms_messages (id, agent_id, direction, phone_number, body, status, created_at) VALUES (?, ?, ?, ?, ?, ?, ?)"
-    ).run(id, agentId, "inbound", parsed.from, parsed.body, "received", createdAt);
-    return { id, agentId, direction: "inbound", phoneNumber: parsed.from, body: parsed.body, status: "received", createdAt };
+      "INSERT INTO sms_messages (id, agent_id, direction, phone_number, body, status, created_at, metadata) VALUES (?, ?, ?, ?, ?, ?, ?, ?)"
+    ).run(id, agentId, "inbound", parsed.from, parsed.body, "received", createdAt, JSON.stringify(metadata ?? {}));
+    return { id, agentId, direction: "inbound", phoneNumber: parsed.from, body: parsed.body, status: "received", createdAt, metadata };
   }
   /** Record an outbound SMS attempt */
-  recordOutbound(agentId, phoneNumber, body, status = "pending") {
+  recordOutbound(agentId, phoneNumber, body, status = "pending", metadata) {
     const id = `sms_out_${Date.now()}_${Math.random().toString(36).slice(2, 8)}`;
     const now = (/* @__PURE__ */ new Date()).toISOString();
     const normalized = normalizePhoneNumber(phoneNumber) || phoneNumber;
     this.db.prepare(
-      "INSERT INTO sms_messages (id, agent_id, direction, phone_number, body, status, created_at) VALUES (?, ?, ?, ?, ?, ?, ?)"
-    ).run(id, agentId, "outbound", normalized, body, status, now);
-    return { id, agentId, direction: "outbound", phoneNumber: normalized, body, status, createdAt: now };
-  }
-  /** Update SMS status */
-  updateStatus(id, status) {
+      "INSERT INTO sms_messages (id, agent_id, direction, phone_number, body, status, created_at, metadata) VALUES (?, ?, ?, ?, ?, ?, ?, ?)"
+    ).run(id, agentId, "outbound", normalized, body, status, now, JSON.stringify(metadata ?? {}));
+    return { id, agentId, direction: "outbound", phoneNumber: normalized, body, status, createdAt: now, metadata };
+  }
+  /** Update SMS status and optional provider metadata */
+  updateStatus(id, status, metadata) {
+    if (metadata) {
+      this.db.prepare("UPDATE sms_messages SET status = ?, metadata = ? WHERE id = ?").run(status, JSON.stringify(metadata), id);
+      return;
+    }
     this.db.prepare("UPDATE sms_messages SET status = ? WHERE id = ?").run(status, id);
   }
   /** List SMS messages for an agent */
@@ -4802,39 +5025,6 @@ var SmsPoller = class {
 };
 
 // src/gateway/manager.ts
-function deriveKey(key, salt) {
-  return scryptSync(key, salt, 32, { N: 16384, r: 8, p: 1 });
-}
-function encryptSecret(plaintext, key) {
-  const salt = randomBytes2(16);
-  const derivedKey = deriveKey(key, salt);
-  const iv = randomBytes2(12);
-  const cipher = createCipheriv("aes-256-gcm", derivedKey, iv);
-  const encrypted = Buffer.concat([cipher.update(plaintext, "utf8"), cipher.final()]);
-  const authTag = cipher.getAuthTag();
-  return `enc2:${salt.toString("hex")}:${iv.toString("hex")}:${authTag.toString("hex")}:${encrypted.toString("hex")}`;
-}
-function decryptSecret(value, key) {
-  if (value.startsWith("enc2:")) {
-    const parts = value.split(":");
-    if (parts.length !== 5) return value;
-    const [, saltHex, ivHex, authTagHex, ciphertextHex] = parts;
-    const derivedKey = deriveKey(key, Buffer.from(saltHex, "hex"));
-    const decipher = createDecipheriv("aes-256-gcm", derivedKey, Buffer.from(ivHex, "hex"));
-    decipher.setAuthTag(Buffer.from(authTagHex, "hex"));
-    return Buffer.concat([decipher.update(Buffer.from(ciphertextHex, "hex")), decipher.final()]).toString("utf8");
-  }
-  if (value.startsWith("enc:")) {
-    const parts = value.split(":");
-    if (parts.length !== 4) return value;
-    const [, ivHex, authTagHex, ciphertextHex] = parts;
-    const keyHash = createHash("sha256").update(key).digest();
-    const decipher = createDecipheriv("aes-256-gcm", keyHash, Buffer.from(ivHex, "hex"));
-    decipher.setAuthTag(Buffer.from(authTagHex, "hex"));
-    return Buffer.concat([decipher.update(Buffer.from(ciphertextHex, "hex")), decipher.final()]).toString("utf8");
-  }
-  return value;
-}
 var GatewayManager = class {
   constructor(options) {
     this.options = options;
@@ -6256,6 +6446,69 @@ function hostSessionStoragePath() {
   return storagePath();
 }
 
+// src/host-bridge.ts
+var BRIDGE_OPERATOR_LIVE_WINDOW_MS = 3e4;
+var DEFAULT_EXPIRED_MARKERS = [
+  "session not found",
+  "invalid session",
+  "session expired",
+  "no such session",
+  "unknown session",
+  "thread not found",
+  "invalid thread",
+  "thread expired",
+  "no such thread",
+  "unknown thread"
+];
+var DEFAULT_SDK_MISSING_MARKERS = [
+  "cannot find module",
+  "could not be found",
+  "command not found"
+];
+function bridgeWakeErrorMessage(err) {
+  return err?.message ?? String(err);
+}
+function classifyResumeError(err, options = {}) {
+  const msg = bridgeWakeErrorMessage(err).toLowerCase();
+  const expiredMarkers = options.expiredMarkers ?? DEFAULT_EXPIRED_MARKERS;
+  const sdkMissingMarkers = options.sdkMissingMarkers ?? DEFAULT_SDK_MISSING_MARKERS;
+  if (expiredMarkers.some((marker) => msg.includes(marker))) return "session-expired";
+  if (sdkMissingMarkers.some((marker) => msg.includes(marker))) return "sdk-missing";
+  return "other";
+}
+function bridgeWakeLastSeenAgeMs(session, nowMs = Date.now()) {
+  if (!session) return null;
+  return nowMs - session.lastSeenMs;
+}
+function shouldSkipBridgeWakeForLiveOperator(session, nowMs = Date.now(), liveWindowMs = BRIDGE_OPERATOR_LIVE_WINDOW_MS) {
+  const ageMs = bridgeWakeLastSeenAgeMs(session, nowMs);
+  return ageMs !== null && ageMs < liveWindowMs;
+}
+function composeBridgeWakePrompt(args) {
+  const subject = args.subject ?? "(no subject)";
+  const from = args.from ?? "unknown";
+  const preview = (args.preview ?? "").slice(0, 600);
+  return [
+    `\u{1F380} Bridge mail arrived \u2014 headless wake.`,
+    "",
+    `You are being resumed against your last session because new mail landed in your bridge inbox (${args.bridgeName}@localhost) and you weren't actively at the keyboard.`,
+    "",
+    `Trigger:`,
+    `  UID:     ${args.uid}`,
+    `  From:    ${from}`,
+    `  Subject: ${subject}`,
+    `  Preview: ${preview}`,
+    "",
+    `Read it with mcp__agenticmail__read_email({ uid: ${args.uid} }) and decide:`,
+    `  \xB7 Does it need a reply from YOU (the operator's session)? Reply via mcp__agenticmail__reply_email.`,
+    `  \xB7 Does it need a teammate to act? Forward / re-route by replying with wake: ["<teammate>"].`,
+    `  \xB7 Is it [NEEDS OPERATOR] / [BLOCKED]? Then it's actually for the human \u2014 mark it unread, and the operator will see it on their next keystroke.`,
+    `  \xB7 Is it FYI noise? mark_read and exit.`,
+    "",
+    `Keep this turn SHORT. You're being resumed to handle ONE piece of mail, not to continue the prior conversation.`
+  ].join("\n");
+}
+
 // src/util/safe-url.ts
 var UnsafeApiUrlError = class extends Error {
   constructor(raw, reason) {
@@ -7947,6 +8200,7 @@ export {
   AgentDeletionService,
   AgentMemoryStore,
   AgenticMailClient,
+  BRIDGE_OPERATOR_LIVE_WINDOW_MS,
   CloudflareClient,
   DEFAULT_AGENT_NAME,
   DEFAULT_AGENT_ROLE,
@@ -7977,10 +8231,14 @@ export {
   UnsafeApiUrlError,
   WARNING_THRESHOLD,
   assertWithinBase,
+  bridgeWakeErrorMessage,
+  bridgeWakeLastSeenAgeMs,
   buildApiUrl,
   buildInboundSecurityAdvisory,
   classifyEmailRoute,
+  classifyResumeError,
   closeDatabase,
+  composeBridgeWakePrompt,
   createTestDatabase,
   debug,
   debugWarn,
@@ -7990,11 +8248,13 @@ export {
   forgetHostSession,
   getDatabase,
   getOperatorEmail,
+  getSmsProvider,
   hostSessionStoragePath,
   isInternalEmail,
   isSessionFresh,
   isValidPhoneNumber,
   loadHostSession,
+  mapProviderSmsStatus,
   normalizeAddress,
   normalizePhoneNumber,
   normalizeSubject,
@@ -8004,6 +8264,7 @@ export {
   recordToolCall,
   redactObject,
   redactSecret,
+  redactSmsConfig,
   resolveConfig,
   safeJoin,
   sanitizeEmail,
@@ -8013,6 +8274,7 @@ export {
   scoreEmail,
   setOperatorEmail,
   setTelemetryVersion,
+  shouldSkipBridgeWakeForLiveOperator,
   startRelayBridge,
   threadIdFor,
   tryJoin,

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@agenticmail/core",
-  "version": "0.9.8",
+  "version": "0.9.10",
   "description": "Core SDK for AgenticMail — email, SMS, and phone number access for AI agents",
   "type": "module",
   "main": "dist/index.js",